
Posted

There's a race condition error in engine.dll:

 

engine.dll:00CE80AA lea     eax, [eax+edx*4]
engine.dll:00CE80AD cmp     dword ptr [eax+10h], 0  <----- now it's not 0, so it won't jump on the next line
engine.dll:00CE80B1 jz      0CE80C8h     -- meanwhile some other thread sets dword ptr [eax+10h] to 0 --
engine.dll:00CE80B3 mov     ecx, [eax+10h]    <----- so now we have ecx == 0
engine.dll:00CE80B6 mov     ecx, [ecx+1Ch]    <----- read dword ptr [0+1ch] -> CRASH
engine.dll:00CE80B9 test    ecx, 0x4000000
engine.dll:00CE80BF jnz     short loc_CE80C8
engine.dll:00CE80C1 mov     dword ptr [eax+10h], 0
 
It can be fixed this way:
 
engine.dll:00CE80AA lea     eax, [eax+edx*4]
engine.dll:00CE80AD mov     ecx, [eax+10h]   <----- we copy that value from memory
engine.dll:00CE80B0 jecxz   0CE80C8h          <----- and compare it this way - jecxz is a nice instruction :)
engine.dll:00CE80B2 mov     ecx, [ecx+1ch]    <----- even if some other thread resets dword ptr [eax+10h], we have still copy in ecx
engine.dll:00CE80B5 test    ecx, 0x4000000
engine.dll:00CE80BB jne     0CE80C8h
engine.dll:00CE80BD nop
engine.dll:00CE80BE nop           <----- we saved 4 bytes :)
engine.dll:00CE80BF nop
engine.dll:00CE80C0 nop
engine.dll:00CE80C1 mov     dword ptr [eax+10h], 0
 
There are two occurrences of this bug in engine.dll; to fix them both, replace the following (in the unpacked engine.dll, of course):
 
old: 83 78 10 00 74 15 8B 48 10 8B 49 1C F7 C1 00 00 00 04 75 07
new: 8B 48 10 E3 16 8B 49 1C F7 C1 00 00 00 04 75 0B 90 90 90 90
 
old: 83 78 10 00 74 13 8B 48 10 F7 41 1C 00 00 00 04 75 07
new: 8B 48 10 E3 14 F7 41 1C 00 00 00 04 75 0B 90 90 90 90
 
Enjoy ;)
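An added check, not part of the post, for anyone applying the two byte replacements above: the new string must be exactly as long as the old one (so the code after it does not move) and the jecxz/jne displacements must land on the same target as the original jz/jnz. The pattern bytes are the ones posted; the branch offsets for the first pair are read off the listing, those for the second pair are decoded from the bytes (the second listing is not shown).

```c
#include <stdint.h>
#include <stddef.h>

/* The four byte strings from the post, as arrays. */
static const uint8_t OLD1[] = {0x83,0x78,0x10,0x00,0x74,0x15,0x8B,0x48,0x10,0x8B,0x49,0x1C,
                               0xF7,0xC1,0x00,0x00,0x00,0x04,0x75,0x07};
static const uint8_t NEW1[] = {0x8B,0x48,0x10,0xE3,0x16,0x8B,0x49,0x1C,0xF7,0xC1,0x00,0x00,
                               0x00,0x04,0x75,0x0B,0x90,0x90,0x90,0x90};
static const uint8_t OLD2[] = {0x83,0x78,0x10,0x00,0x74,0x13,0x8B,0x48,0x10,0xF7,0x41,0x1C,
                               0x00,0x00,0x00,0x04,0x75,0x07};
static const uint8_t NEW2[] = {0x8B,0x48,0x10,0xE3,0x14,0xF7,0x41,0x1C,0x00,0x00,0x00,0x04,
                               0x75,0x0B,0x90,0x90,0x90,0x90};

/* Offsets (opcode byte) of the two conditional branches inside each pattern:
 * jz/jnz in the old bytes, jecxz/jne in the new bytes. */
typedef struct { const uint8_t *bytes; size_t len; size_t jmp_a; size_t jmp_b; } Pattern;
static const Pattern P_OLD1 = { OLD1, sizeof OLD1, 4, 18 };
static const Pattern P_NEW1 = { NEW1, sizeof NEW1, 3, 14 };
static const Pattern P_OLD2 = { OLD2, sizeof OLD2, 4, 16 };
static const Pattern P_NEW2 = { NEW2, sizeof NEW2, 3, 12 };

/* A 2-byte short branch (opcode, rel8) at 'at' lands at at + 2 + rel8,
 * measured from the start of the pattern. 0x74 jz, 0x75 jnz/jne, 0xE3 jecxz. */
long short_branch_target(const Pattern *p, size_t at) {
    uint8_t op = p->bytes[at];
    if (op != 0x74 && op != 0x75 && op != 0xE3) return -1;  /* not a short branch */
    return (long)(at + 2) + (int8_t)p->bytes[at + 1];
}

/* The replacement is only safe if it has the same length as the original and
 * both of its branches still reach the single target the old branches shared. */
int patch_is_consistent(const Pattern *oldp, const Pattern *newp) {
    if (oldp->len != newp->len) return 0;
    long ta = short_branch_target(oldp, oldp->jmp_a), tb = short_branch_target(oldp, oldp->jmp_b);
    if (ta < 0 || ta != tb) return 0;                 /* old jz and jnz both exit to one place */
    if (short_branch_target(newp, newp->jmp_a) != ta) return 0;
    if (short_branch_target(newp, newp->jmp_b) != ta) return 0;
    return 1;
}

int check_first_patch(void)  { return patch_is_consistent(&P_OLD1, &P_NEW1); }
int check_second_patch(void) { return patch_is_consistent(&P_OLD2, &P_NEW2); }
```

For the first pattern every branch resolves to offset 27 from the pattern start, i.e. 0CE80AD + 1Bh = 0CE80C8; for the second, to offset 25.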
Posted

 


Do you even know what that code is doing? Originally, just setting to zero wouldn't explain the crash.

Posted


Not in the global scope, but for example the first one is in UGameEngine::LoadMapThread.

They call something like

 

UObjectLoader *res = UObject::GetLoader(something);

if (res->var84h[something2]->var10h) {
    // here they access res->var84h[something2]->var10h->var1c
    // which is totally wrong if you don't have a mutex here
}

 

So my fix simply does this:

 

void *someptr = res->var84h[something2]->var10h;

if (someptr) {
    // now I work with someptr, which is a copy
}

 

The best solution would be to add mutexes, but I don't have the source code :))
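An added C model of the check-then-use race in the two listings and of the copy-to-local fix sketched above; it is not code from the post or from engine.dll. The struct layouts mirror the offsets in the listing (+10h pointer, +1Ch flags, mask 0x4000000), and a hypothetical hook stands in for the other thread so the interleaving is deterministic. Note that the copy only guards against the field being cleared: if the other thread also frees the object, the copy dangles, which is why the post says mutexes would be the real fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the objects in the listing: the field at +10h is a
 * pointer to an object whose dword at +1Ch carries the flag tested with 0x4000000. */
typedef struct Inner { uint8_t pad[0x1C]; uint32_t flags; } Inner;
typedef struct Outer { uint8_t pad[0x10]; Inner *inner; } Outer;

#define FLAG_BIT 0x4000000u

/* Hypothetical hook standing in for the other thread: the reader calls it in the
 * window between its check and its use, and the hook may clear outer->inner. */
typedef void (*interleave_fn)(Outer *o);
static void writer_clears_field(Outer *o) { o->inner = NULL; }
static void writer_idle(Outer *o) { (void)o; }

/* Original sequence (cmp [eax+10h],0 / jz / mov ecx,[eax+10h] / mov ecx,[ecx+1Ch]):
 * the field is loaded twice, so a writer in between turns the second load into 0.
 * Returns 1 if the flag is set, 0 if the pointer was absent, -1 where the real code faults. */
int racy_check_then_use(Outer *o, interleave_fn other_thread) {
    if (o->inner == NULL)               /* cmp dword ptr [eax+10h], 0 ; jz */
        return 0;
    other_thread(o);                    /* [eax+10h] becomes 0 here */
    Inner *p = o->inner;                /* mov ecx, [eax+10h] : second load */
    if (p == NULL)
        return -1;                      /* mov ecx, [ecx+1Ch] would read address 0x1C */
    return (p->flags & FLAG_BIT) ? 1 : 0;
}

/* Patched sequence (mov ecx,[eax+10h] / jecxz): one load, then only the copy is used. */
int snapshot_then_use(Outer *o, interleave_fn other_thread) {
    Inner *p = o->inner;                /* single load into ecx */
    if (p == NULL)                      /* jecxz */
        return 0;
    other_thread(o);                    /* field cleared; the copy in ecx is unaffected */
    return (p->flags & FLAG_BIT) ? 1 : 0;
}

/* Constructed driver: one Outer/Inner pair, run either version with the chosen writer. */
int run_scenario(int patched, int writer_clears) {
    Inner in; Outer o;
    memset(&in, 0, sizeof in); memset(&o, 0, sizeof o);
    in.flags = FLAG_BIT; o.inner = &in;
    interleave_fn w = writer_clears ? writer_clears_field : writer_idle;
    return patched ? snapshot_then_use(&o, w) : racy_check_then_use(&o, w);
}
```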

Posted


Well, that actually explains it better: a check-if-exists pattern.
